Vulnerability Description
Querybook is an open source data querying UI. In affected versions user provided data is not escaped in the error field of the auth callback url in `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`. This may allow attackers to perform reflected cross site scripting (XSS) if Content Security Policy (CSP) is not enabled or `unsafe-inline` is allowed. Users are advised to upgrade to the latest, patched version of querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP and not allow unsafe-inline or manually escape query parameters in a reverse proxy.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Querybook | < 3.14.2 |
Related Weaknesses (CWE)
References
- https://github.com/pinterest/querybook/commit/88a7f10495bf5ed1a556ade51a2f2794e4PatchThird Party Advisory
- https://github.com/pinterest/querybook/security/advisories/GHSA-mrrw-9wf7-xq6wMitigationThird Party Advisory
- https://github.com/pinterest/querybook/commit/88a7f10495bf5ed1a556ade51a2f2794e4PatchThird Party Advisory
- https://github.com/pinterest/querybook/security/advisories/GHSA-mrrw-9wf7-xq6wMitigationThird Party Advisory
FAQ
What is CVE-2022-46151?
CVE-2022-46151 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Querybook is an open source data querying UI. In affected versions user provided data is not escaped in the error field of the auth callback url in `querybook/server/app/auth/oauth_auth.py` and `query...
How severe is CVE-2022-46151?
CVE-2022-46151 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-46151?
Check the references section above for vendor advisories and patch information. Affected products include: Pinterest Querybook.